Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 02 Mar 2016 08:53:51 -0500
From: Steve Grubb <sgrubb@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>, Bob Beck <beck@...nbsd.org>,
        CVE ID Requests <cve-assign@...re.org>
Subject: Re: Re: CVE's for SSLv2 support

On Tuesday, March 01, 2016 09:16:05 PM Kurt Seifried wrote:
> On Tue, Mar 1, 2016 at 9:03 PM, Bob Beck <beck@...nbsd.org> wrote:
> > While you certainly won't see me defending SSLv2 (I think we were the
> > first to delete it outright)
> > there are many other things that currently fall into that category..
> > I'm agreeing with your sentiment
> > but if you are to consider usage of SSLv2 as CVE worthy, then you will
> > need to do the same for SSH version 1,
> > among other things.   So while I certainly appreciate and even agree
> > with your sentiment, it seems rather timed
> > politically based on a decision made by one implementaiton of SSL/TLS
> > that reflects a decision made by most other
> > implementations long ago.   So far from me to say what CVE's should
> > and shouldn't be used for and issued for, but
> > if this is the road we're going down can I please have permission to
> > use your above quoted paragraph
> > with s/SSLv2/SSH V1/g to request a CVE for *usage or support* of SSH
> > version 1? You said it perfectly.
> 
> I would be totally fine with that, SSH protocol v1 is long overdue for
> "needs to be taken out back and shot along with whoever enabled it by
> default". From OpenSSH's sshd_config:
> 
> # The default requires explicit activation of protocol 1
> 
> I think that says it all.

I'm not entirely sure that CVE is the right vehicle to express the issue. 
Exploitation of this would be an attacker uses code to exploit a poor 
implementation or design problem. There are code weaknesses tracked by CWE, 
vulnerabilities in implementations tracked by CVE, and attacks tracked by 
CAPEC. They reference each other as follows CAPEC->CVE->CWE.

Maybe a CWE somewhere in this category is what you are after:
https://cwe.mitre.org/data/definitions/958.html

-Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.